potiuk commented on PR #67435:
URL: https://github.com/apache/airflow/pull/67435#issuecomment-4529901356
Below are the six mermaid diagrams introduced in this PR, rendered inline
via GitHub's native mermaid support. They are identical to what `breeze
build-docs` produces in the published HTML.
---
### `jwt_token_authentication.rst` — overview of components and flows
```mermaid
flowchart LR
subgraph Clients
UI[UI / browser]
CLI[CLI]
EXT[External REST clients]
end
subgraph Internal["Internal Airflow components"]
WORKER[Worker / Task]
DFP[Dag File Processor]
TRG[Triggerer]
end
APISVR[API Server]
EXECAPI[Execution API]
UI -->|JWT cookie / Bearer| APISVR
CLI -->|Bearer| APISVR
EXT -->|Bearer| APISVR
WORKER -->|Bearer<br/>workload → execution| EXECAPI
DFP -. in-process<br/>JWT bypassed .-> EXECAPI
TRG -. in-process<br/>JWT bypassed .-> EXECAPI
classDef internal fill:#eef,stroke:#446
class WORKER,DFP,TRG internal
```
---
### `jwt_token_authentication.rst` — symmetric vs asymmetric signing
```mermaid
flowchart TB
subgraph Sym["Symmetric (HS512)"]
direction LR
S1[Scheduler / API Server]
S2[Shared secret<br/>jwt_secret]
S3[Token validator]
S1 -->|sign| S2 -->|same secret<br/>also validates| S3
end
subgraph Asym["Asymmetric (RS256 / EdDSA)"]
direction LR
A1[Scheduler / API Server]
A2[Private key<br/>jwt_private_key_path]
A3[Public key /<br/>JWKS endpoint]
A4[Token validator]
A1 -->|sign| A2
A2 -. derives or<br/>publishes .-> A3
A3 -->|verify only| A4
end
classDef secret fill:#fee,stroke:#a33
classDef pub fill:#efe,stroke:#3a3
class S2 secret
class A2 secret
class A3 pub
```
---
### `jwt_token_authentication.rst` — two-token sequence (workload → execution)
```mermaid
sequenceDiagram
autonumber
participant SCH as Scheduler
participant EXE as Executor<br/>(Celery / K8s / Local)
participant WRK as Worker
participant API as Execution API
Note over SCH: Task ready to dispatch
SCH->>SCH: generate workload token<br/>scope=workload<br/>exp = task_queued_timeout
SCH->>EXE: workload JSON<br/>(includes token)
Note over EXE: Task waits in queue<br/>(can be minutes)
EXE->>WRK: dispatch (workload JSON)
WRK->>API: POST /run<br/>Bearer: workload token
Note over API: validates workload scope<br/>checks TI in QUEUED/RESTARTING<br/>409 if not
API-->>WRK: 200 OK<br/>Refreshed-API-Token: execution token<br/>(scope=execution, ~10 min)
WRK->>WRK: BearerAuth swaps to<br/>execution token
loop For all subsequent calls (heartbeats, XComs, ...)
WRK->>API: Bearer: execution token
alt token expiring (less than 20% left)
API-->>WRK: 200 OK<br/>Refreshed-API-Token: new execution token
WRK->>WRK: BearerAuth swaps again
end
end
```
---
### `jwt_token_authentication.rst` — Execution API request-time validation pipeline
```mermaid
flowchart TD
REQ([Incoming request<br/>Authorization: Bearer ...])
REQ --> CACHE{Cached on<br/>request.scope?}
CACHE -->|yes| RET([Return cached TIToken])
CACHE -->|no| SIG[JWTValidator:<br/>verify signature]
SIG -->|fail| F1([403 Forbidden])
SIG -->|ok| STD[Verify exp / iat / nbf<br/>aud / iss]
STD -->|fail| F1
STD -->|ok| SCOPE[Default scope to<br/>'execution' if absent]
SCOPE --> SCHEMA[TIClaims:<br/>typed Pydantic schema]
SCHEMA -->|ValidationError| F1
SCHEMA -->|ok| TYP{require_auth:<br/>scope in<br/>route.allowed_token_types?}
TYP -->|no| F1
TYP -->|yes| SELF{ti:self scope<br/>declared?}
SELF -->|no| OK([Return TIToken])
SELF -->|yes| MATCH{token.sub ==<br/>task_instance_id?}
MATCH -->|no| F1
MATCH -->|yes| OK
classDef fail fill:#fee,stroke:#a33
classDef pass fill:#efe,stroke:#3a3
class F1 fail
class OK,RET pass
```
---
### `security_model.rst` — component trust boundaries
```mermaid
flowchart LR
subgraph users["Users (untrusted by default)"]
UI[UI / browser]
CLI[CLI]
EXT[External REST clients]
end
subgraph dataplane["Worker plane (no metadata DB access)"]
WRK[Worker / Task]
end
subgraph controlplane["Control plane (metadata DB access)"]
APISVR[API Server]
SCH[Scheduler]
DFP[Dag File Processor]
TRG[Triggerer]
end
DB[(Metadata DB)]
UI -->|JWT| APISVR
CLI -->|JWT| APISVR
EXT -->|JWT| APISVR
WRK -->|JWT<br/>Execution API| APISVR
APISVR -. SQL .-> DB
SCH -. SQL .-> DB
DFP -. SQL .-> DB
TRG -. SQL .-> DB
DFP -. in-process<br/>JWT bypassed .-> APISVR
TRG -. in-process<br/>JWT bypassed .-> APISVR
classDef untrusted fill:#fee,stroke:#a33
classDef trusted fill:#efe,stroke:#3a3
classDef data fill:#eef,stroke:#446
class UI,CLI,EXT,WRK untrusted
class APISVR,SCH,DFP,TRG trusted
class DB data
```
---
### `security_model.rst` — credential-distribution matrix
```mermaid
flowchart LR
subgraph secrets["Sensitive values"]
DBC[DB connection<br/>SQL_ALCHEMY_CONN]
JWT[JWT signing key<br/>jwt_secret /<br/>jwt_private_key_path]
FERN[Fernet key]
SB_CFG[Secrets backend<br/>credentials<br/>non-worker]
SB_WRK[Secrets backend<br/>credentials<br/>worker]
REMLOG[Remote log<br/>handler kwargs]
end
subgraph components["Components"]
APISVR[API Server]
SCH[Scheduler]
DFP[Dag File Processor]
TRG[Triggerer]
WRK[Worker]
end
DBC --> APISVR
DBC --> SCH
DBC --> DFP
DBC --> TRG
JWT --> APISVR
JWT --> SCH
FERN --> APISVR
FERN --> SCH
FERN --> DFP
FERN --> TRG
FERN --> WRK
SB_CFG --> SCH
SB_CFG --> DFP
SB_CFG --> TRG
SB_WRK --> WRK
REMLOG --> SCH
REMLOG --> TRG
REMLOG --> WRK
classDef worker fill:#efe,stroke:#3a3
classDef control fill:#eef,stroke:#446
class WRK worker
class APISVR,SCH,DFP,TRG control
```
---
Drafted-by: Claude Code (Opus 4.7); reviewed by @potiuk before posting
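The request-time validation pipeline and the 20%-remaining refresh rule from the diagrams above, as an added Python example that is not Airflow's own code: a stdlib-only HS512 signer and validator with a pinned algorithm, standard-claim checks, the scope default, the route's allowed token types and the ti:self subject match. The secret, claim values and function names are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; stands in for the shared HS512 jwt_secret in the diagrams.
SECRET = b"constructed-demo-secret-do-not-reuse"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs512(claims: dict, secret: bytes = SECRET) -> str:
    """Mint a compact JWT with HMAC-SHA512 (the symmetric path in the diagram)."""
    header = _b64(json.dumps({"alg": "HS512", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha512).digest()
    return f"{header}.{body}.{_b64(sig)}"

def validate(token: str, allowed_token_types: set, task_instance_id=None,
             *, now=None, secret: bytes = SECRET, audience: str = "execution"):
    """Pipeline: signature -> exp/iat/nbf/aud -> default scope -> allowed types
    -> ti:self match. Returns accepted claims, or None where the diagram shows 403."""
    now = time.time() if now is None else now
    try:
        header, body, sig = token.split(".")
        if json.loads(_unb64(header)).get("alg") != "HS512":
            return None  # pin the algorithm; never let the token choose it
        expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha512).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None  # malformed token, bad base64 or bad JSON
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return None  # not yet valid, expired, or exp missing
    if claims.get("iat", now) > now or claims.get("aud") != audience:
        return None
    scope = claims.get("scope", "execution")  # default when the claim is absent
    if scope not in allowed_token_types:
        return None  # e.g. a workload token presented on an execution-only route
    if task_instance_id is not None and claims.get("sub") != task_instance_id:
        return None  # ti:self: the token may only act on its own task instance
    return {"sub": claims.get("sub"), "scope": scope}

def needs_refresh(claims: dict, now: float) -> bool:
    """Refresh rule from the sequence diagram: less than 20% of the lifetime left."""
    return (claims["exp"] - now) < 0.2 * (claims["exp"] - claims["iat"])
```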